Introduction 


Go has evolved from a curiosity for one team at Google into a 
battle-tested programming language that supports some of the 
world's most critical cloud-centric projects today. 


Thanks to features such as built-in concurrency, garbage collection, 
clear syntax and semantics, and straightforward tooling, many notable 
companies have adopted Go. It lets teams bring applications to market 
quickly and lowers the cost of maintaining and rewriting complex code. 


Cross-compilation is easy: a single development machine can produce 
binaries for all major platforms, which makes it convenient for 
developers to test and distribute on their target platforms. Developers 
often say Go is excellent for building projects quickly. 


However, code security and ensuring code quality are serious 
challenges many engineering teams continuously battle. The risk 
level only increases the longer you neglect good code practices and 
tools. 


This document will discuss Go, its popularity, enterprise adoption, 
how to tackle code security and quality, and tools that can help. 
Why do enterprises use Go? 


Designed primarily at Google by Robert Griesemer, Rob Pike, 
and Ken Thompson, Go is an open-source programming 
language widely adopted for its simplicity and efficiency. 
Let's discuss the advantages that make Go shine over its 
competitors. 


SIMPLICITY 


Its procedural style makes Go easy to pick up, especially for developers 
with a background in C or Java, and it makes large or complicated 
codebases easier to navigate. The result is cleaner, more reliable code. 


POWERFUL STANDARD LIBRARY 


Go ships with a standard library of packages you can use directly to 
build your products. It is robust, stable, and performant enough to 
cover many use cases without third-party packages. 


INCREASING NUMBER OF GO DEVELOPERS 

Market research places Go among the most in-demand programming 
languages worldwide. By putting Go at the front of your development 
strategy, you gain access to a pool of talent that will keep growing 
along with that demand. 
CROSS-PLATFORM LANGUAGE 


One of Go's most powerful features is cross-compilation: the toolchain 
can build for any target platform Go supports without access to that 
platform. This makes multi-platform distribution much easier. 


FAST AND ROBUST 


Go is a fast, statically typed, compiled language that compiles quickly 
to machine code. It is efficient in both compilation and execution and 
effective when writing reliable and robust software with the added 
convenience of concurrency mechanisms, garbage collection, and 
the power of run-time reflection. While it has a more straightforward 
approach than some of its competitors, it is still good at balancing 
expressiveness with safety to build robust software. 


BUILT-IN PACKAGE MANAGER 


In Go, external packages are distributed as modules and are called 
dependencies when the dependent projects incorporate them. Go's 
built-in package manager 'Go modules' helps projects written in Go 
easily use external dependencies. These modules make managing 
dependencies easier, including getting a module's source, upgrading, 
removing unused dependencies, and so on. 
Notable companies using Go 


GOOGLE 


Google engineers designed Go and use it widely for internal projects. 
YouTube, Google App Engine, Firebase, and Google's core data team are 
among the users cited. 


UBER 


Uber uses Go for its geofence service, which looks up a user's location 
and the products available there. Geofences let Uber define areas with 
special requirements precisely and apply dynamic pricing. 


TWITCH 


At Twitch, Go runs some of the most heavily loaded systems and is valued 
for handling the problems of serving live video and the simultaneous 
chat of many users. In particular, improvements in Go's garbage 
collector, which automatically manages dynamically allocated memory, 
let Twitch cut GC pause times by roughly 20 times. 


DAILYMOTION 


Dailymotion is a video streaming service. Go's simplicity, performance, 
and static type checking improved the automation of their APIs, which 
made it possible to run many automated tests that would otherwise have 
caused unpredictable load. 
Where is Go being adopted? 


In a global context, 1.1 million professional Go developers use 
Go as a primary language. The number of experienced 
developers who use Go on the side while primarily using 
other programming languages is approximately 2.7 million. 


[Map: professional Go developers by region (Europe, South America, Oceania and others); the per-region counts did not survive extraction.] 
HOW IS GO BEING ADOPTED? 


Building API/RPC services (74%) and CLIs (65%) remain the most 
common uses of Go. Go is used similarly at large enterprises and 
smaller organizations. 


[Chart: what Go is used for, 2019 vs. 2020 survey respondents, in descending order: API/RPC services (returning non-HTML), runnable/interactive programs (CLI), libraries or frameworks, web services (returning HTML, 48%), automation/scripts, agents and daemons (e.g. monitoring), data processing (e.g. pipelines, aggregation), desktop/GUI applications, games, mobile apps (3%), other (3%).] 
HOW IS GO USED IN SOFTWARE DEVELOPMENT? 


Web Services is the most popular area where Go is used, with a 
share of 36%, according to the results from the Developer Ecosystem 
survey 2020. 


Web Services 

Utilities (small apps for small tasks) 

IT Infrastructure 

Libraries / Frameworks 

System Software 

Database / Data Storage 

Programming Tools 

Business Intelligence / Data Science / Machine Learning 


Security 
INDUSTRIES USING GO 


According to the Developer Ecosystem Survey 2020, Go 
programmers work mainly in IT Services, followed by Finance and 
FinTech, Cloud Computing/Platform, and other industries. 


36%  IT Services 
33%  Finance and FinTech 
23%  Cloud Computing / Platform 
22%  Big Data / Data Analysis 
22%  Mobile Development 
21%  Internet / Search Engines 
16%  Sales / Distribution / Retail 
15%  Other software 
13%  Software Development Tools 
12%  Entertainment / Mass Media and Information / Publishing 


Finance and FinTech are adopting Go quickly. Monzo, a UK bank, built 
its entire banking platform in Go. 
PACKAGE MANAGERS 


Go Modules is the most popular package manager among Go developers. Its 
adoption rose from 41% in 2019 to 82% in 2020. 


[Chart: popularity of package managers in 2020: go modules, dep, godep, govendor, glide, gom, gpm.] 


TESTING FRAMEWORKS 


The proportion of developers using built-in testing fell from 64% in 
2018 to 44% in 2020. While the usage of other testing frameworks 
grew slightly in these years, we still see a decrease in built-in testing 
frameworks used overall. 


[Chart: testing frameworks used by Go developers: built-in testing, testify, gomock, ginkgo, go-sqlmock, gocheck, goconvey.] 
GO ROUTERS 

Gorilla/Mux and the standard library have remained the most used Go 
routers since 2018. 

[Chart: routers used by Go developers: gorilla/mux (36%), standard library (30%), go-chi/chi, httprouter, gocraft/web, bmizerany/pat, go-zoo/bone.] 


TOP 5 WEB FRAMEWORKS 

The usage of the Gin framework has nearly doubled since 2018, while 
the other web frameworks have largely remained stable. 

[Chart: web frameworks used by Go developers: gin, echo, beego, buffalo, revel.] 


Source: [1] 
Challenges 


Code security and systematically ensuring code quality are serious 
challenges many engineering teams continuously battle. The risk 
level only increases the longer you neglect good code practices and 
tooling. 


SECRET DETECTION 


Some secrets follow predictable patterns (fixed prefixes, fixed 
lengths); many do not. That uncertainty makes it hard to catch every 
real secret in a codebase without also raising false positives. A 
second problem is scope: most reviews look only at the net difference 
between the current and proposed states, not at the whole history of 
changes. A commit that adds a secret and a later commit that deletes 
it have zero net effect, so reviewers never see it, yet the secret 
still sits in history and must be treated as compromised. Left 
unnoticed, the exposure persists and goes unaccounted for. 
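An added example of both points (written for this page, not code from the original document or from DeepSource): pattern rules for predictable secrets, an entropy gate for unpredictable ones, and a scan over every commit rather than only the final tree. The commit history and file contents are constructed test data; the AWS access key ID pattern is the documented AKIA/ASIA format and the sample key is the AWS documentation placeholder, not a live credential; the 3.0 bits-per-character threshold is an assumption to tune per codebase.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Finding is one suspected secret and the commit that carried it.
type Finding struct {
	Commit, File, Rule string
	Line               int
}

// Commit models a repository snapshot as file name -> lines (constructed
// data; a real scanner would walk git objects instead).
type Commit struct {
	ID    string
	Files map[string][]string
}

var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	// Predictable secrets: AWS access key IDs are AKIA/ASIA plus 16 upper-case
	// alphanumerics, so a tight pattern catches them with few false positives.
	{"aws-access-key-id", regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`)},
	// Unpredictable secrets: match a quoted value assigned to a suspicious
	// name, then judge the value itself (see scanLine).
	{"keyword-assignment", regexp.MustCompile(
		`(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]{1,2}\s*["']([^"']{8,})["']`)},
}

// minEntropy (bits per character) is a tunable assumption separating
// random-looking values from placeholders such as "changeme".
const minEntropy = 3.0

// shannonEntropy returns the per-character Shannon entropy of s.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// scanLine returns the first rule that fires on line, or "" when none does.
func scanLine(line string) string {
	for _, r := range rules {
		m := r.re.FindStringSubmatch(line)
		if m == nil || (len(m) > 1 && shannonEntropy(m[1]) < minEntropy) {
			continue // no match, or a keyword match on a low-entropy dummy value
		}
		return r.name
	}
	return ""
}

// scanHistory scans every commit, so a secret that was added and later removed
// is still reported; a diff-only review of the final tree would miss it.
func scanHistory(history []Commit) []Finding {
	var out []Finding
	for _, c := range history {
		for file, lines := range c.Files {
			for i, line := range lines {
				if name := scanLine(line); name != "" {
					out = append(out, Finding{c.ID, file, name, i + 1})
				}
			}
		}
	}
	return out
}

// scanSnapshot is what a net-diff review effectively sees: only the end state.
func scanSnapshot(c Commit) []Finding { return scanHistory([]Commit{c}) }

// sampleHistory: commit c2 leaks a key and c3 removes it again (constructed;
// the key is the AWS documentation placeholder, not a live credential).
func sampleHistory() []Commit {
	clean := []string{`package config`, `var Region = "us-east-1"`}
	leaked := append(append([]string{}, clean...), `var apiKey = "AKIAIOSFODNN7EXAMPLE"`)
	return []Commit{
		{"c1", map[string][]string{"config.go": clean}},
		{"c2", map[string][]string{"config.go": leaked}},
		{"c3", map[string][]string{"config.go": clean}},
	}
}

func main() {
	h := sampleHistory()
	fmt.Printf("final snapshot only: %d finding(s)\n", len(scanSnapshot(h[len(h)-1])))
	for _, f := range scanHistory(h) {
		fmt.Printf("full history: commit %s %s:%d %s\n", f.Commit, f.File, f.Line, f.Rule)
	}
}
```

Run as-is, the snapshot scan reports nothing while the history scan reports the key in commit c2, which is the gap a diff-only review leaves open. The entropy gate is what keeps the keyword rule usable: without it every `password = "changeme"` in test fixtures would be a finding.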


ADHERING TO OWASP TOP 10 


The OWASP Top 10 is an expert consensus on the most critical risks 
facing web applications and the teams developing them, and it provides 
a useful framework for prioritising application security efforts. It 
can be treated as a baseline for source code security compliance and 
helps teams identify foreseeable risks. For any development team, it is 
crucial that their code, whatever language it is written in, meets 
these industry standards. 
OVERVIEW 


OWASP TOP 10 (2017) 


A1: Injection 
A2: Broken Authentication 
A3: Sensitive Data Exposure 
A4: XML External Entities (XXE) 
A5: Broken Access Control 
A6: Security Misconfiguration 
A7: Cross-Site Scripting (XSS) 
A8: Insecure Deserialization 
A9: Using Components with Known Vulnerabilities 
A10: Insufficient Logging and Monitoring 


Some examples of the impact of these vulnerabilities on large-scale 
operations are discussed below. 


TWITTER AND THE XXE BREACH 


XXE holds position four on the OWASP Top 10, and an XXE vulnerability 
was found in Twitter. The exploit was remarkably simple yet earned the 
security researcher a $10,080 bounty; its severity lay in letting an 
attacker read local files on the target system. The researcher's POST 
request carried an XML payload with an external entity, and the server's 
error message echoed the contents of /etc/passwd back to the attacker: 


Response from server: 


<?xml version="1.0"?> 
<operation type="deliver"> 
  <error code="1010" message="Unable to convert [root:x:0:0:root:/root:/bin/bash...[truncated by researcher] to an integer for [operatorId]"/> 
</operation> 


The full report is public on HackerOne. 
REMOTE CODE EXECUTION IN CDNJS OF CLOUDFLARE 


cdnjs is a free and open-source CDN service that offers JavaScript, 
CSS, images, and fonts for over 12% of all websites. The cdnjs 
project leverages Cloudflare's services. 


In April 2021, a security researcher disclosed a vulnerability to 
Cloudflare after demonstrating it by publishing a package to npm. The 
affected component was the Go backend that automates library updates, 
which keeps load off cdnjs's own servers by letting the files be served 
directly from Cloudflare's edge. 


The primary vector was a crafted .tar.gz archive containing a symbolic 
link, published to the npm registry. When the Cloudflare pipeline 
extracted the archive, it followed the symlink, letting the researcher 
overwrite local files with the privileges of the pipeline user. 


This vulnerability allowed the researcher to execute arbitrary code, 
granting the ability to modify assets and leak credentials. 
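An added example of the hardened extraction step, written for this page with Go's standard library only (it is not cdnjs's or Cloudflare's code, and the pipeline's actual fix is not reproduced here). Every member name is checked with filepath.IsLocal (Go 1.20 or newer) before it is joined onto the destination, a symlink is created only if its target, resolved relative to the member's own directory, also stays inside the destination, and a regular file is never written onto an existing symlink. The sample archive is built in memory from constructed test data; its member names and link target are hypothetical.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrUnsafeEntry marks any member that could touch a path outside dest.
var ErrUnsafeEntry = errors.New("unsafe archive entry")

// extractTar unpacks r into dest. Member names must be local, symlinks are
// kept only when relative and resolving inside dest, files are never written
// onto a symlink, and hard links, devices and other member types are refused.
func extractTar(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		// filepath.IsLocal (Go 1.20+) does the lexical check: "a/../../x" and
		// "/etc/passwd" are both rejected before anything touches the disk.
		if !filepath.IsLocal(hdr.Name) {
			return fmt.Errorf("%w: %q escapes destination", ErrUnsafeEntry, hdr.Name)
		}
		target := filepath.Join(dest, hdr.Name)
		if err = os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeSymlink:
			// Linkname is relative to the member's own directory, so "pkg/out ->
			// ../../x" is checked as "pkg/../../x", which IsLocal rejects.
			link := filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)
			if filepath.IsAbs(hdr.Linkname) || !filepath.IsLocal(link) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrUnsafeEntry, hdr.Name, hdr.Linkname)
			}
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeReg:
			if fi, lerr := os.Lstat(target); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
				return fmt.Errorf("%w: %q is a symlink", ErrUnsafeEntry, target)
			}
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode).Perm()); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		default:
			err = fmt.Errorf("%w: unsupported member type for %q", ErrUnsafeEntry, hdr.Name)
		}
		if err != nil {
			return err
		}
	}
}

// buildArchive serialises headers (bodies keyed by member name) into an
// in-memory tar stream; constructed test data, not a real npm tarball.
func buildArchive(hdrs []tar.Header, bodies map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range hdrs {
		h.Size = int64(len(bodies[h.Name]))
		if err := tw.WriteHeader(&h); err != nil {
			panic(err)
		}
		io.WriteString(tw, bodies[h.Name])
	}
	tw.Close()
	return buf.Bytes()
}

// sampleArchive follows the cdnjs pattern: a benign in-tree symlink, then a
// symlink leaving the extraction root, then a file whose path runs through it.
func sampleArchive() []byte {
	return buildArchive([]tar.Header{
		{Name: "pkg/index.js", Typeflag: tar.TypeReg, Mode: 0o644},
		{Name: "pkg/alias.js", Typeflag: tar.TypeSymlink, Linkname: "index.js"},
		{Name: "pkg/out", Typeflag: tar.TypeSymlink, Linkname: "../../../../../../../tmp/owned"},
		{Name: "pkg/out/deploy.sh", Typeflag: tar.TypeReg, Mode: 0o644},
	}, map[string]string{"pkg/index.js": "module.exports = 1;\n", "pkg/out/deploy.sh": "echo owned\n"})
}

func main() {
	dir, _ := os.MkdirTemp("", "extract-demo")
	defer os.RemoveAll(dir)
	fmt.Println(extractTar(bytes.NewReader(sampleArchive()), dir))
}
```

Extraction stops at pkg/out, so pkg/out/deploy.sh is never written anywhere, while the in-tree alias.js link is accepted. An extractor that simply calls os.Symlink for every symlink member and then writes later members by name is the vulnerable shape: the second member's path silently resolves through the first. For an automated pipeline that never needs links at all, the stricter choice is to refuse every symlink member outright.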
Automation for code reviews 


Every development team tests its products, yet the 
delivered software will always have some form of defects. 
Security and quality assurance engineers strive to catch 
them before the product is released, but issues always 
creep in, and they often reappear, even with the best manual 
review processes. 


Engineering teams use various tools to ensure the code is correct, 
but manual checks continue to be the norm for reviewing code 
quality, style, and formatting. 


Once automated tests are part of the development workflow, they can 
easily be extended to cover processes that would be tedious and slow to 
test manually. Automated tools not only save time but also make 
operations more efficient, reliable, and fast, which makes automated 
testing essential for development projects. Developers everywhere feel 
pressure to ship faster, and slow processes are the last thing they 
need; but shipping faster does not by itself guarantee credible, 
high-quality code. Static code analysis tools surface issues earlier in 
the software development life cycle, helping developers avoid unforeseen 
problems in production and ensuring code quality and security before 
the code ships. 


Development teams that use static code analysis gain several 
advantages. 
SUPPORT IN BUILDING A DEVOPS STRUCTURE 


Static code analysis also adds value to DevOps processes by 
creating an automated feedback loop. It identifies defects before 
running a program (e.g., between writing code and unit testing) to 
help developers know early in the development cycle if there are any 
problems in their code. This makes it easier to fix those problems 
before shipping. 
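As an added illustration of that feedback loop (example code written for this page, not DeepSource's analyzer or any other vendor's rule set), the following Go program parses source text with go/parser and walks the syntax tree with go/ast to flag two findings a reviewer would otherwise have to spot by eye: a disabled TLS certificate check and imports of weak hash packages. Nothing is compiled or executed, which is what lets the check run between editing and unit testing. The two sample sources are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Issue is one finding in the shape a CI bot would post on a pull request.
type Issue struct {
	Pos, Msg string
}

// weakHashImports are flagged when imported; the set is this example's
// choice, modelled on common linter rules rather than any vendor's list.
var weakHashImports = map[string]string{
	`"crypto/md5"`:  "md5 is not collision resistant; use crypto/sha256 or stronger",
	`"crypto/sha1"`: "sha1 is not collision resistant; use crypto/sha256 or stronger",
}

// checkSource parses one Go file from memory and walks its AST. Nothing is
// compiled or run, so the check can sit between editing and unit testing.
func checkSource(filename, src string) ([]Issue, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var issues []Issue
	report := func(n ast.Node, msg string) {
		issues = append(issues, Issue{fset.Position(n.Pos()).String(), msg})
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.ImportSpec:
			if msg, ok := weakHashImports[x.Path.Value]; ok {
				report(x, msg)
			}
		case *ast.KeyValueExpr:
			// Matches tls.Config{InsecureSkipVerify: true}. Only the literal
			// `true` is caught; a full analyzer would also fold constants and
			// track variables through type information.
			key, ok := x.Key.(*ast.Ident)
			if !ok || key.Name != "InsecureSkipVerify" {
				return true
			}
			if v, ok := x.Value.(*ast.Ident); ok && v.Name == "true" {
				report(x, "TLS certificate verification disabled (InsecureSkipVerify: true)")
			}
		}
		return true
	})
	return issues, nil
}

// vulnerableSrc is a constructed sample that trips both rules.
const vulnerableSrc = `package main

import (
	"crypto/md5"
	"crypto/tls"
	"net/http"
)

func client() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

var _ = md5.New
`

// cleanSrc is the hardened counterpart: default verification, no weak hash.
const cleanSrc = `package main

import "crypto/tls"

var cfg = &tls.Config{MinVersion: tls.VersionTLS12}
`

func main() {
	for _, f := range []struct{ name, src string }{{"vuln.go", vulnerableSrc}, {"ok.go", cleanSrc}} {
		issues, err := checkSource(f.name, f.src)
		fmt.Printf("%s: %d issue(s), err=%v\n", f.name, len(issues), err)
		for _, is := range issues {
			fmt.Println("  " + is.Pos + ": " + is.Msg)
		}
	}
}
```

Each Issue carries a file:line:column position, which is exactly what a pull-request comment needs; wiring the output into a CI step that fails the build on any finding is the "automated feedback loop" the paragraph describes.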


ENFORCING CODE STANDARD 


Most static code analysis tools run on rules, so it's essential to make 
sure they align with organizational goals. For example, in some highly 
regulated environments, the rules help ensure security compliance. 
Tools like these allow developers to work independently without 
intervention while ensuring they're developing along the same lines 
as the team's expectations. 


IMPROVING CODE SECURITY 


Since almost everything runs on software these days, it's crucial to 
analyze code for potential vulnerabilities. An automated static code 
analyzer then acts as an additional safety net. 


CONTINUOUS CODE QUALITY 


Continuous Quality or CQ aims to provide rapid feedback to 
developers so that issues that can affect the maintainability of the 
code or contribute to the technical debt can be identified and 
corrected as early as possible. Implementing CQ also improves 
productivity during manual code reviews, giving reviewers more time 
to do high-order qualitative reviews instead of worrying about trivial 
defects. 
Enterprise opportunities 


With the steady increase in the pace of software 
development today, it is also becoming increasingly vital for 
teams to ensure clean and secure code practices. 


Manual reviews mean going back and forth to fix issues, lost 
productivity, and security problems that surface only after the code is 
deployed to production. This makes review a tedious process that can 
hurt team performance and delay product releases. 


The average developer spends more than 17 hours every week 
dealing with maintenance issues, such as debugging and refactoring. 
In addition to this, they spend approximately four hours a week on 
"bad code," which equates to nearly $85 billion worldwide in 
opportunity cost lost annually, according to Stripe's calculations on 
average developer salary by country. [3] 


Almost two-thirds of developers agree that this is "excessive" and 
believe that clear prioritization, responsibilities, and long-term 
product goals would improve their productivity. 


Every team has one goal: to build the best experience for its users. 
Missing deadlines, housing a codebase that is neither maintainable nor 
secure, and having no process to prevent these issues all result in an 
inferior product and a poor user experience. 
THE ECONOMIC IMPACT OF 'BAD CODE' 


41.1 hours   Average developer's work week 
17.3 hours   Average time spent per week on bad code, debugging, refactoring, and modifying 
13.5 hours   Average time spent per week on technical debt 
3.8 hours    Average time spent per week on bad code 
9.25%        Productivity loss from fixing bad code, according to developers 
$85 billion  Global GDP loss from developer time spent on bad code annually 

Organizations surveyed also say that increasing developer productivity is their highest priority (the share did not survive extraction). 

Sources: Evans Data Corp., CIA Factbook, Stripe research (The Developer Coefficient, Stripe, 2018) 
This is the gap where automated static analysis tools such as 
DeepSource can ease the back and forth between writing code and 
shipping it, increasing reliability and reducing the load of manual 
reviews. Developers spend a lot of time battling bad code when they 
should not have to. DeepSource's Go analyzer can be a counterpart to 
writing production-level Go code: static analysis tools help you fix 
errors much earlier in the process and save teams the time otherwise 
spent on manual reviews and fixes, so they can spend more time writing 
good code. The right automated tools act like a sidekick, 
systematically making sure you are working on a healthy, high-quality, 
and secure codebase. 


Let us explore more advantages of using static analysis tools like 
DeepSource in the next section. 
HIGHLY RELEVANT RESULTS WITH CONTEXT-AWARE ANALYSIS 


DeepSource is engineered for less than 5% false positives. You can 
also customize the results to suit your context, such as ignoring an 
issue on a file pattern or the entire repository and marking an issue 
as intentional. 


REDUCES TIME SPENT IN MANUAL CODE REVIEWS 


Be the first one to review your code in seconds. DeepSource 
decreases the turnaround time by reducing the dependency on 
manual reviews, helping you and your team discover and fix even 
hard-to-spot issues early in the development lifecycle. 


KEEPS A CHECK ON KEY CODE METRICS 


Get complete visibility of your documentation coverage, test 
coverage, external and internal dependencies, and always have 
insight into your code's health and quality. 


ENSURES INDUSTRY-STANDARD DEVELOPMENT 
PRACTICES ACROSS THE ORGANIZATION 


Enhance your software's maintainability by ensuring every developer on 
the team adheres to the same coding conventions. DeepSource's analyzer 
runs automatically on every commit and pull request and prevents bad 
code from seeping in. 
Conclusion 


Go is beginning to be adopted outside of its traditional base 
of modern tech companies and startups, thanks to its many 
advantages. 


Today, more companies adopt Go as their server-side language to 
build out technical solutions to modern business problems. 


However, while practicality, ease of use, and performance are often 
cited as the key reasons developers enjoy building with Go, security 
has not been at the top of the list. The 2020 Go Developer Survey [2] 
showed only 15% of respondents use Go for security-related monitoring 
and checks, against 68% for web programming and 48% for DevOps. The 
security risks in Go code are as real as in any other language, and the 
best way to mitigate them is to use the right tools for the job. 


Enterprise teams writing Go in production need to understand the 
proper tools and practices that development teams can employ to 
keep their applications safe, reliable, and maintainable. The best way 
to do this is to adopt practices that deliver continuous quality in their 
code, as supported best by automated static analysis tools. As Go 
increasingly gains dominance across companies, having the right tool 
is becoming increasingly important to ensure their code adheres to 
their code standards and is secure, performant, and bug-free. 




Teams are wary of using different tools at different stages of the 
development cycle, since each can be challenging to implement and can 
extend timelines. Automated tools like DeepSource's Go analyzer aim to 
be a single fit for all of these needs: the analyzer integrates with 
your existing workflow and takes care of code style and formatting, 
making it a natural counterpart to your production Go code. 
About DeepSource Enterprise 


DeepSource Enterprise is the on-premise version of the 
product, meant for companies that prefer to keep all their 
source code and data on their premises. 


DeepSource Enterprise is easily installable and can be deployed to a 
user's cloud. This gives them complete control of their data, security, 
and the flexibility they need to run DeepSource entirely on their 
terms. 


Everything we do at DeepSource is aimed at making sure your code 
health and security are always top-notch. Our product is an 
automated static code analysis tool that identifies risks and formats 
code to follow style guidelines. We achieve this by integrating with 
your existing code review workflow in GitHub, GitLab, and Bitbucket 
and automatically analyzing every commit and pull request. 




References 


[1] https://blog.jetbrains.com/go/2021/02/03/the-state-of-go/ 


[2] https://blog.golang.org/survey2020-results 


[3] https://stripe.com/files/reports/the-developer-coefficient.pdf 




